ISASecure Web

ConferenceDeep dive into IEC62443-3-3, IEC62443-4-1, and IEC62443-

4-2, IEC62443-3-2

Kevin Staggs – Senior Fellow

12 October 2020

1

About the

Speaker

Kevin Staggs

Senior Fellow

Kevin Staggs possesses over 43 years of experience

in hardware, software and systems engineering at

Honeywell with 39 years focused on control systems.

Mr. Staggs has been driving product cybersecurity

development since 1996. Mr. Staggs is currently a

Senior Fellow in Honeywell’s Advanced Connected

Technology Solutions organization and serves as a

cybersecurity consultant to Honeywell’s product

development organizations. Mr. Staggs currently

serves as co-chairperson of ISA99 working group 4

and is also the technical Chairman of the ISA Security

Compliance Institute - a non-profit organization seeking

to improve ICS security through standards compliance.

2

Agenda

IEC 62443 Overview

Roles and Relationship to Standard

Control System Lifecycles

IEC-62443-3-2 Overview

IEC-62443-3-3 Overview

IEC-62443-4-2 Overview

IEC-62443-4-1 Overview

Compliance to IEC-62443

3

IEC 62443 Standards Family

Gen

era

lP

olicie

s &

Pro

ce

du

res

Sys

tem

Co

mp

on

en

t

Concepts and modelsMaster glossary of

terms and abbreviations

Security system

conformance metrics

IACS security lifecycle

and use cases

Security program

requirements for IACS

asset owners

IACS Security Protection

Ratings

Patch management in

the IACS environment

Security program

requirements for IACS

service providers

Security technologies

for IACS

Security risk assessment

for system design

System security

requirements and

security levels

Product security

development life cycle

requirements

Technical security

requirements for IACS

components

62443-1-462443-1-1 62443-1-2 62443-1-3

62443-2-1 62443-2-2 62443-2-3 62443-2-4

62443-3-1 62443-3-2 62443-3-3

62443-4-1 62443-4-2

Implementation guidance

for IACS asset owners

62443-2-5

4

General Principles

Security Context

Security Objectives

Response Elements (People, Process Technology)

Risk-Based Approach

Compensating Countermeasures

Least Privilege

Defense in Depth

Supply Chain Security

Security and SafetySource: ISA-62443-1-1, 2nd Edition (Under development)

5

5

Fundamental Concepts

System Taxonomy

Principal Roles

Life Cycles and Processes

Zones and Conduits

Security Levels

Maturity

Security Program Rating

6

Source: ISA-62443-1-1, 2nd Edition (Under development)

Roles and Applicable Standards

IACS environment

Independent of IACS environment

Roles

Industrial automation and control system (IACS)

maintains

operates

accountable for

designsand deploys

commissionsand validates

Asset Owner

Maintenance Service Provider

Integration Service Provider

developsand supports

Includes configured products(control systems and components)

Role

ProductSupplier

Products

Components

Supporting software

applications

Embeddeddevices

Networkdevices

Hostdevices

Control systems(as a combination of

components)

ZoneZone

Automation Solution

Essential functions

Controlfunctions

Safetyfunctions

Complementary functions

Operation and routine maintenance according tosecurity policies and procedures

2-1

2-4 3-2 3-3

4-1 4-2 3-3

7

Control System LIfecycles

8

Based on VDI 2182

8

System Security

62443-3-1

Security Technologies

Technical Report

62443-3-2

Risk Assessment and System Design

International Standard

62443-3-3

System Requirements and Security Levels

International Standard

9

Component Security

62443-4-1

Product Development Requirements

International Standard

62443-4-2

Technical Requirement for Components

International Standard

10

IEC-62443-3-2 Overview

Document title

Security risk assessment for system design

Document defines a process for:

defining a system under consideration (SUC) for an industrial automation and

control system (IACS);

partitioning the SUC into zones and conduits;

assessing risk for each zone and conduit;

establishing the target security level (SL-T) for each zone and conduit; and

documenting the security requirements.

11

IEC-62443-3-2

Process

12

Zones and Conduits

A means for defining…

How different systems interact

Where information flows between systems

What form that information takes

What devices communicate

How fast/often those devices communicate

The security differences between system components

Technology helps, but architecture is more important

13

IEC-62443-3-3 Overview

Document title

System security requirements and security levels

Document defines:

Technical security capabilities for a control system;

Derived from the 62443 Foundational Requirements;

Defines system security capability levels;

Based on adversary capabilities;

Increasing security capability levels address increasing risk;

Organized as base requirements and requirement enhancements;

Requirement enhancements increase security capability level.

14

Foundational Requirements

FR 1 – Identification & authentication control

FR 2 – Use control

FR 3 – System integrity

FR 4 – Data confidentiality

FR 5 – Restricted data flow

FR 6 – Timely response to events

FR 7 – Resource availability

15

Foundational Requirements

FR 1 – 13 system requirements – 11 requirement enhancements

FR 2 – 12 system requirements – 12 requirement enhancements

FR 3 – 9 system requirements – 10 requirement enhancements

FR 4 – 3 system requirements – 3 requirement enhancements

FR 5 – 4 system requirements – 7 requirement enhancements

FR 6 – 2 system requirements – 1 requirement enhancement

FR 7 – 8 system requirements – 5 requirement enhancements

16

Security Levels

17

Protection against…

IEC-62443-3-3 Security Levels

18

IEC 62443-4-2 Overview

Document title

Technical security requirements for IACS components

• Derived component requirements from 62443-3-3

• Defines component types that make up a control system:

• Host device

• Network device

• Embedded device

• Application

• ICS Component may contain multiple types

• Requires that components be developed with a Secure Software Development Process (62443-4-1)

19

Component Type Definitions

• Embedded device

• special purpose device designed to directly monitor or control an industrial process

• Host device

• general purpose device running an operating system (for example Microsoft Windows OS or Linux) capable of hosting one or more software applications, data stores or functions from one or more suppliers

• Network device

• device that facilitates data flow between devices, or restricts the flow of data, but may not directly interact with a control process

• Software application

• one or more software programs and their dependencies that are used to interface with the process or the control system itself (for example, configuration software and historian)

• Examples included in Annex A of standard

20

ISA/IEC 62443-4-2 Requirements

• Common security constraints for all component types

• Essential functions

• Compensating countermeasures

• Least privilege

• Software development process

• Follows the Security Level – Capability model from 62443-3-3

• Most requirements are common for all component types

• Component specific requirements

• Designated by SAR, EDR, HDR, and NDR

• Introduction of component specific integrity requirements

21

Security Levels (Annex B)

CRs and REs SL 1 SL 2 SL 3 SL 4FR 3 – System integrity (SI)

CR 3.1 – Communication integrity✓ ✓ ✓ ✓

RE (1) Communication authentication✓ ✓ ✓

SAR 3.2 – Protection from malicious code✓ ✓ ✓ ✓

EDR 3.2 – Protection from malicious code✓ ✓ ✓ ✓

HDR 3.2 – Protection from malicious code✓ ✓ ✓ ✓

RE (1) Report version of code protection✓ ✓ ✓

NDR 3.2 – Protection from malicious code✓ ✓ ✓ ✓

CR 3.3 – Security functionality verification✓ ✓ ✓ ✓

RE (1) Security functionality verification during normal

operation ✓

CR 3.4 – Software and information integrity✓ ✓ ✓ ✓

RE (1) Authenticity of software and information✓ ✓ ✓

RE (2) Automated notification of integrity violations✓ ✓

22

IEC 62443-4-1 Overview

• Document title

• Product security development lifecycle requirements

• Defines product development lifecycle requirements

• Control system components and systems

• Drives security documentation for system integrators and end users

• Defines requirements for supplier response to discovered security vulnerabilities in products and systems

• Defense in depth approach applied to development processes

• Defines development process maturity levels

23

IEC 62443-4-1 Development Practices

• Security management

• Specification of security requirements

• Secure by design

• Secure implementation

• Security verification and validation testing

• Management of security-related issues

• Security update management

• Security guidelines

24

Defense

-in-

depth

strategy

Security by

design

Secure

implementation

Security

V&V

testing

Security

guidelines

Specification

of security

requirements

Security

management

Maturity of the Development Process

A means of assessing capability

Similar to Capability Maturity

Models

e.g., SEI-CMM

An evolving concept in the standards

Applicability to IACS-SMS

25

25

IEC 62443-4-1 Maturity Levels

• Initial

• Ad-hoc product development practices

• Managed

• Documented development practices

• Demonstration of repeatability of practices

• Defined (Practiced)

• Evidence all practices are followed and managed

• Improving

• Feedback for consistently improving practices

26

Summary of 4 standards

• IEC-62443-3-2 is a standard that should be:

• Utilized by system integrators

• IEC-62443-3-3 is a standard that should be:

• Implemented by system suppliers

• Utilized by system integrators and end users as procurement language

• IEC-62443-4-2 is a standard that should be:

• Implemented by control system component providers

• Utilized by system integrators and end users as procurement language

• IEC-62443-4-1 is a standard that should be:

• Implemented by developers of control systems and components

• Required in procurement language of control systems and components

27

28

IEC-62443 Compliance Certifications

Compliance to IEC-62443 standards can be certified, for example:

1. ISASecure® Component Security Assurance (CSA) product certification

ISA/IEC 62443-4-2

ISA/IEC 62443-4-1

2. ISASecure® System Security Assurance (SSA) product certification

ISA/IEC-62443-3-3

ISA/IEC 62443-4-1

3. ISASecure® Security Development Lifecycle Assurance (SDLA) process certification

ISA/IEC-62443-4-1

29

Where to find certifications

ISASecure® (CSA) certified components

https://isasecure.org/en-US/End-Users/IEC-62443-4-2-Certified-Components

ISASecure® (SSA) certified systems

https://isasecure.org/en-US/End-Users/IEC-62443-3-3-Certified-Systems

ISASecure® (SDLA) certified product development lifecycles

https://isasecure.org/en-US/End-Users/IEC-62443-4-1-Certified-Development-Organizations

Summary

• End users:

• Utilize system integrators that utilize IEC-62443-3-2 methodologies;

• Procure systems that are compliant (certified) with IEC-62443-3-3;

• Procure control system components compliant (certified) with IEC-62443-4-2; and

• Select vendors that have a product development lifecycle compliant (certified) with IEC-62443-4-1.

30

Thank you

• For more information visit:

https://isasecure.org/en-US/

31